← Back to Skills Marketplace
brennerspear

gog-safety

by BrennerSpear · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
380
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install gog-safety
Description
Build and deploy safety-profiled gogcli binaries with compile-time command removal. Use when setting up gog for an AI agent with restricted permissions — cho...
README (SKILL.md)

gog Safety Profiles

Build and deploy gog binaries with compile-time command removal. Commands that are disabled don't exist in the binary — no runtime bypass possible.

Quick Start

1. Choose a safety level

Level Use case Can send email/chat?
L1 Email triage, drafting, inbox organization No
L2 L1 + commenting, RSVP, collaborative work No
L3 Full write access, no dangerous admin ops Yes

For full details: references/levels.md

2. Build

# Build for current platform
./scripts/build-gog-safe.sh L1

# Cross-compile for Linux ARM64 (e.g., AWS Graviton)
./scripts/build-gog-safe.sh L1 --arch arm64 --os linux

# Custom output
./scripts/build-gog-safe.sh L2 --output /tmp/gog-l2

Requires: Go 1.22+, git. First run clones the PR #366 branch (~30s).

3. Deploy

# Deploy to a remote host via SSH
./scripts/deploy-gog-safe.sh spock /tmp/gogcli-safety-build/bin/gog-l1-safe

# Deploy with verification (tests blocked + allowed commands)
./scripts/deploy-gog-safe.sh spock /tmp/gogcli-safety-build/bin/gog-l1-safe --verify

The deploy script:

  • Backs up the existing gog as gog-backup
  • Installs the new binary
  • Verifies version output
  • Optionally tests that blocked commands are gone and allowed commands work

4. Rollback

ssh \x3Chost> 'sudo mv /usr/local/bin/gog-backup /usr/local/bin/gog'

How It Works

Uses gogcli's compile-time safety profiles feature (PR #366 on steipete/gogcli). A YAML file specifies which commands are enabled (true) or removed (false). The build system generates Go source files with only the enabled commands, then compiles. The resulting binary's version is tagged with -safe.

YAML Profiles

In references/:

  • l1-draft.yaml — Draft & Organize
  • l2-collaborate.yaml — Draft & Collaborate
  • l3-standard.yaml — Full Write (No Admin)

Custom profiles: copy any YAML, edit the true/false flags, pass to build-gog-safe.sh.

Verification

After deployment, verify with:

ssh \x3Chost> "gog --version"                     # Should show -safe suffix
ssh \x3Chost> "gog gmail send --help 2>&1"        # Should fail (L1/L2)
ssh \x3Chost> "gog gmail drafts create --help"    # Should work (all levels)

Known Edge Cases

  • Filter forwarding: gmail settings filters create is allowed at L1+ for inbox organization. A filter with a forward action could auto-forward email. Accepted risk for v1.
  • Drive sharing: drive share is allowed at L1+ because sharing grants access without sending a message notification. The shared user sees it in "Shared with me" but doesn't get an email.
Usage Guidance
This skill appears to do what it says (build and deploy safety‑profiled gog binaries) but before using it: 1) verify the upstream repository and branch being cloned (https://github.com/drewburchfield/gogcli-safe.git, branch feat/safety-profiles) actually contains the intended PR/patch — the SKILL.md refers to steipete/gogcli#366 so confirm the fork is trustworthy or prefer the official upstream commit/hash; 2) inspect the cloned code, especially cmd/gen-safety and any build scripts, because the build runs 'go run' (i.e., executes code from that repo) and could run arbitrary actions on your build machine; 3) run builds in an isolated environment (container/VM) and only deploy binaries you have reviewed; 4) ensure the deploying user has appropriate sudo/backup procedures on target hosts (deploy will overwrite /usr/local/bin/gog and creates gog-backup); and 5) update any registry metadata or provenance notes to declare required tools (git, Go) and the exact upstream commit/URL you reviewed. If you cannot or will not review the upstream source, treat this as higher risk and avoid running the build on sensitive hosts.
Capability Analysis
Type: OpenClaw Skill Name: gog-safety Version: 1.0.1 This skill bundle automates the compilation and remote deployment of a modified 'gogcli' binary, which involves high-risk operations such as replacing system-level binaries in /usr/local/bin via SSH and sudo (scripts/deploy-gog-safe.sh). While the stated purpose is to enhance safety by removing dangerous commands at compile-time, the build script (scripts/build-gog-safe.sh) fetches source code from a third-party fork (github.com/drewburchfield/gogcli-safe.git) rather than the official upstream repository. This creates a significant supply chain risk where a backdoored version of a tool with access to Google Workspace data could be deployed under the guise of a security hardening measure.
Capability Assessment
Purpose & Capability
The name/description (build+deploy safety-profiled gog binaries) matches the included scripts, YAML profiles, and SKILL.md instructions. One mismatch: registry metadata lists no required binaries, but SKILL.md and scripts explicitly require git and Go (Go 1.22+) and use ssh/scp for deployment. Those tools are reasonable for the stated purpose but should be declared.
Instruction Scope
Instructions and scripts stay within the declared goal: choosing a YAML profile, injecting it into a gogcli checkout, running a code generator (go run ./cmd/gen-safety), building the binary, and deploying via scp/ssh. However, the build step runs code from the cloned repository (go run), which means arbitrary code in that repo will execute on the builder machine — this is expected for a source build but is a notable risk that requires review of the upstream source before running.
Install Mechanism
There is no packaged install spec; the scripts clone an external repository (UPSTREAM_REPO=https://github.com/drewburchfield/gogcli-safe.git, branch feat/safety-profiles) and run code from it. The SKILL.md references steipete/gogcli PR #366 but the clone target is a different fork/URL, which is a potential coherence issue: either a mirror or an unverified fork. Cloning and executing code from an external/unverified repo is the highest‑risk install pattern here and should be reviewed.
Credentials
The skill does not request environment variables or credentials. Deployment uses ssh/scp and remote sudo to replace /usr/local/bin/gog, which is proportionate but requires privileged access on remote hosts. There is no evidence the skill tries to access unrelated credentials or local config paths, but building executes upstream code (see instruction_scope) which could access the builder environment if malicious.
Persistence & Privilege
always is false and the skill does not request persistent platform-level privileges. The deploy script replaces a system binary on remote hosts (requires sudo there) which is expected for installing a CLI binary; no self-modifying or cross-skill config changes are present.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install gog-safety
  3. After installation, invoke the skill by name or use /gog-safety
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Remove Tycho branding from profile names and references
v1.0.0
Initial release — compile-time safety profiles for gogcli (L1/L2/L3)
Metadata
Slug gog-safety
Version 1.0.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is gog-safety?

Build and deploy safety-profiled gogcli binaries with compile-time command removal. Use when setting up gog for an AI agent with restricted permissions — cho... It is an AI Agent Skill for Claude Code / OpenClaw, with 380 downloads so far.

How do I install gog-safety?

Run "/install gog-safety" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is gog-safety free?

Yes, gog-safety is completely free (open-source). You can download, install and use it at no cost.

Which platforms does gog-safety support?

gog-safety is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created gog-safety?

It is built and maintained by BrennerSpear (@brennerspear); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments